Securing Voice over IP (VoIP) doesn't have to be a challenge for small and medium-sized businesses (SMBs). VoIP is basically a phone call over the Internet. It offers the same promises -- and pitfalls -- as the Internet. The promises are cheap and easy communication over a readily available and easy-to-use public network -- the Internet. The pitfalls are the same security weaknesses of that network, which wasn't originally designed for security -- or phone calls, for that matter.
But it's not as scary as it seems for cash-strapped SMBs with limited IT staffs. Most of the tuning required to secure VoIP involves the same efforts as hardening Internet and Web connections your company probably already has in place. And most of that work can be handled by your existing network staff, even without a dedicated information security department.
Even if your SMB doesn't host its own Web site or Internet service, like a larger enterprise, it still has connections to the Internet through conventional routers. Handling VoIP for them should be a snap.
Security comes first
Before delving into the four best practices for securing VoIP and how to apply them to SMBs, be aware of the overall security issues around VoIP.
There are three major security concerns around VoIP, and they're the same security issues as those for IP traffic, in general. The three issues are:
VoIP can also serve as an entry point into your company, just like any other Internet connection, for viruses, spyware and malware. But this isn't a specific problem of VoIP. Denial-of-service (DoS) attacks are also possible via VoIP but, again, this is a general IP protocol issue and not just a VoIP concern.
IP traffic isn't authenticated. It moves freely over the Internet and can come from anywhere. This is a problem inherent in the TCP/IP protocol. For VoIP, it means a malicious user could fake, or spoof, your company's IP address and appear on the caller ID of an unsuspecting customer. This tactic is known as VoIP phishing, which, like its email counterpart, is meant to entice customers to give up confidential account information over the phone to thieves posing as your company employees.
IP traffic moves in the clear by default. It can be easily picked up by conventional packet sniffers like Wireshark (formerly Ethereal), dsniff, Ettercap and their ilk. Any conversations on your shiny new VoIP phones can be eavesdropped on by sniffing unencrypted traffic traveling over the Internet. Unlike regular phone lines, which require some effort to tap through the phone company, VoIP can potentially expose your SMB to the whole world just by being on the Internet.
And, just as spam is delivered via email, junk voicemail messages can be pumped into your company through VoIP, clogging your SMB's phones with SPIT (spam over Internet telephony). This is in addition to the risk of a DoS attack against your company through your VoIP connection, just like any other attack from the Internet.
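To check the "in the clear by default" point above on your own phone system, the following is an added example, not part of the original article. It assumes calls are set up with SIP and that media is described in SDP, which the article does not specify; audit_sdp and the sample SDP text are constructed for illustration.

```python
# Added example: flag SDP media sections that negotiate cleartext RTP.
# Assumes SIP/SDP signaling; SAMPLE_SDP is constructed, not a real capture.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF",
                   "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

SAMPLE_SDP = """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER
m=video 49174 RTP/SAVP 96
a=rtpmap:96 H264/90000
"""

def audit_sdp(sdp):
    """Return (media, port, profile, verdict) for every m= section."""
    session_keyed = False   # keying attribute seen before the first m= line
    sections = []           # [media, port, profile, keyed]
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # Pad so a malformed m= line still yields a (cleartext) finding.
            media, port, profile = (line[2:].split() + ["", "", ""])[:3]
            sections.append([media, port, profile.upper(), False])
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            # SDES key (a=crypto) or DTLS-SRTP certificate hash (a=fingerprint).
            if sections:
                sections[-1][3] = True
            else:
                session_keyed = True
    findings = []
    for media, port, profile, keyed in sections:
        if profile not in SECURE_PROFILES:
            verdict = "cleartext"   # plain RTP can be negotiated: sniffable
        elif keyed or session_keyed:
            verdict = "encrypted"
        else:
            verdict = "secure profile, no keying"  # offer cannot set up SRTP
        findings.append((media, port, profile, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE_SDP):
        print(*finding, sep="\t")
```

Any section reported as "cleartext" carries audio that a packet sniffer on the path can capture and replay, so those are the endpoints or trunks to reconfigure first.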
So, what's an SMB to do to protect itself from the dangers of VoIP? Here are four suggestions:
Like the rest of your network servers, baseline security controls should be in place for your VoIP system. Here's how:
Implementing VoIP is not as scary, or as much of a burden, as it seems. Most of the tasks for securing VoIP can be handled by your existing IT staff, since it is already integrated into your network.
Joel Dubin, CISSP, is an independent computer security consultant in Chicago. He is a Microsoft MVP in security, specializing in Web and application security, and the author of The Little Black Book of Computer Security available from Amazon. You can visit his blog, The IT Security Guy, at www.theitsecurityguy.com.